CVE-2026-45106
Weblate: Stored HTML injection in editor search preview
4.6
MEDIUM
CVSS 3.1
Description
### Impact

Weblate's live search preview renders unit `source` and `context` as HTML without escaping. Any contributor whose content reaches those fields can store HTML and CSS that is rendered inside the authenticated editor of every user who runs a matching search.

### Patches

* https://github.com/WeblateOrg/weblate/pull/19422

### Workarounds

Only the search preview on the selected views is affected.

### Resources

Weblate thanks @adrgs for reporting this issue responsibly via GitHub.
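The rendering defect described above, shown as an added example rather than Weblate's own code: a preview renderer that concatenates the `source` and `context` fields into markup verbatim, next to the corrected form that escapes every untrusted field at the point of insertion. The function names and the sample unit are assumptions constructed for this illustration.

```javascript
// Added example (not Weblate's code). The field names `source` and `context`
// come from the advisory; the functions and sample data below are hypothetical.

// Escape the five characters that can change HTML structure or attribute
// boundaries; everything else is safe as text content.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: contributor-controlled fields are inserted into the
// markup as-is, so any tag they contain becomes part of the editor page.
function renderPreviewUnsafe(unit) {
  return `<li class="unit"><span class="source">${unit.source}</span>` +
         `<span class="context">${unit.context}</span></li>`;
}

// Hardened pattern: same template, but each untrusted field is escaped where
// it enters the markup, so it can only ever render as visible text.
function renderPreviewSafe(unit) {
  return `<li class="unit"><span class="source">${escapeHtml(unit.source)}</span>` +
         `<span class="context">${escapeHtml(unit.context)}</span></li>`;
}

// Constructed sample unit: translator-supplied strings containing markup.
const sampleUnit = {
  source: "Save <b>changes</b>",
  context: "<style>.unit { display: none }</style>",
};

// Count the HTML tags present in rendered output. The template itself
// contributes six; with the safe renderer that is all that should remain.
function countTags(html) {
  return (html.match(/<\/?[a-z][^>]*>/gi) || []).length;
}
```

A quick check for the same class of bug in any preview code is to render a unit whose text contains a tag and confirm the tag count of the output equals the template's own tag count.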
How to fix CVE-2026-45106
To remediate CVE-2026-45106, upgrade the affected package to a fixed version below.
- Weblate: upgrade to 2026.5 or later
Is CVE-2026-45106 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-45106.
Affected packages (1)
- Weblate: all versions from 0 up to, but not including, 2026.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (4.6) | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |